Skip to content
Snippets Groups Projects
Commit d6a58aa3 authored by apriestman's avatar apriestman
Browse files

Add full disk encryption detection

parent 3b4e0998
Branches
Tags
No related merge requests found
...@@ -322,8 +322,12 @@ TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype) ...@@ -322,8 +322,12 @@ TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
TSK_VS_INFO *vs_info; TSK_VS_INFO *vs_info;
// Use mm_walk to get the volumes // Use mm_walk to get the volumes
if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) { if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) {
/* we're going to ignore this error to avoid confusion if the
* fs_open passes. */ /* If the error code is for encryption, we will register it. Otherwise,
* ignore this error to avoid confusion if the fs_open passes. */
if (tsk_error_get_errno() == TSK_ERR_VS_ENCRYPTED) {
registerError();
}
tsk_error_reset(); tsk_error_reset();
if(tsk_verbose) if(tsk_verbose)
......
...@@ -71,7 +71,8 @@ uint8_t TskIsImageSupported::handleError() ...@@ -71,7 +71,8 @@ uint8_t TskIsImageSupported::handleError()
TSK_ERROR_INFO* lastError = tsk_error_get_info(); TSK_ERROR_INFO* lastError = tsk_error_get_info();
if (lastError != NULL) { if (lastError != NULL) {
uint32_t errCode = lastError->t_errno; uint32_t errCode = lastError->t_errno;
if (errCode == TSK_ERR_FS_ENCRYPTED) {
if (errCode == TSK_ERR_FS_ENCRYPTED || errCode == TSK_ERR_VS_ENCRYPTED) {
tsk_error_print(stdout); tsk_error_print(stdout);
m_wasEncryptionFound = true; m_wasEncryptionFound = true;
} }
......
...@@ -332,7 +332,8 @@ extern "C" { ...@@ -332,7 +332,8 @@ extern "C" {
#define TSK_ERR_VS_BUF (TSK_ERR_VS | 5) #define TSK_ERR_VS_BUF (TSK_ERR_VS | 5)
#define TSK_ERR_VS_BLK_NUM (TSK_ERR_VS | 6) #define TSK_ERR_VS_BLK_NUM (TSK_ERR_VS | 6)
#define TSK_ERR_VS_ARG (TSK_ERR_VS | 7) #define TSK_ERR_VS_ARG (TSK_ERR_VS | 7)
#define TSK_ERR_VS_MAX 8 #define TSK_ERR_VS_ENCRYPTED (TSK_ERR_VS | 8)
#define TSK_ERR_VS_MAX 9
#define TSK_ERR_POOL_UNKTYPE (TSK_ERR_POOL | 0) #define TSK_ERR_POOL_UNKTYPE (TSK_ERR_POOL | 0)
#define TSK_ERR_POOL_UNSUPTYPE (TSK_ERR_IMG | 1) #define TSK_ERR_POOL_UNSUPTYPE (TSK_ERR_IMG | 1)
......
...@@ -55,6 +55,7 @@ static const char *tsk_err_mm_str[TSK_ERR_VS_MAX] = { ...@@ -55,6 +55,7 @@ static const char *tsk_err_mm_str[TSK_ERR_VS_MAX] = {
"Invalid buffer size", // 5 "Invalid buffer size", // 5
"Invalid sector address", "Invalid sector address",
"Invalid API argument", "Invalid API argument",
"Encryption detected",
}; };
static const char *tsk_err_fs_str[TSK_ERR_FS_MAX] = { static const char *tsk_err_fs_str[TSK_ERR_FS_MAX] = {
......
...@@ -40,14 +40,65 @@ detectBitLocker(const char * buf, size_t len) { ...@@ -40,14 +40,65 @@ detectBitLocker(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer // Look for the signature near the beginning of the buffer
const char * signature = "-FVE-FS-"; const char * signature = "-FVE-FS-";
return detectSignature(signature, strlen(signature), 0, 32, buf, len); return detectSignature(signature, strlen(signature), 0, 16, buf, len);
} }
// Returns 1 if FileVault is found, 0 otherwise // Returns 1 if FileVault signature is found, 0 otherwise
int int
detectFileVault(const char * buf, size_t len) { detectFileVault(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "encrdsa"; const char * signature = "encrdsa";
return detectSignature(signature, strlen(signature), 0, 0, buf, len);
}
// Returns 1 if Check Point signature is found, 0 otherwise
int
detectCheckPoint(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "Protect";
return detectSignature(signature, strlen(signature), 80, 100, buf, len);
}
// Returns 1 if McAfee Safeboot signature is found, 0 otherwise
int
detectMcAfee(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer. Check two capitalizations.
const char * signature = "Safeboot";
const char * altSignature = "SafeBoot";
return (detectSignature(signature, strlen(signature), 0, 32, buf, len)
| detectSignature(altSignature, strlen(altSignature), 0, 32, buf, len));
}
// Returns 1 if Guardian Edge signature is found, 0 otherwise
int
detectGuardianEdge(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "PCGM";
return detectSignature(signature, strlen(signature), 0, 32, buf, len);
}
// Returns 1 if Sophos Safeguard signature is found, 0 otherwise
int
detectSophos(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "SGM400";
const char * altSignature = "SGE400";
return (detectSignature(signature, strlen(signature), 110, 150, buf, len)
| detectSignature(altSignature, strlen(altSignature), 110, 150, buf, len));
}
// Returns 1 if WinMagic SecureDoc signature is found, 0 otherwise
int
detectWinMagic(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "WMSD";
return detectSignature(signature, strlen(signature), 236, 256, buf, len);
}
// Returns 1 if Symantec PGP signature is found, 0 otherwise
int
detectSymantecPGP(const char * buf, size_t len) {
// Look for the signature near the beginning of the buffer
const char * signature = "\xeb\x48\x90PGPGUARD";
return detectSignature(signature, strlen(signature), 0, 32, buf, len); return detectSignature(signature, strlen(signature), 0, 32, buf, len);
} }
...@@ -167,5 +218,94 @@ detectVolumeEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset) { ...@@ -167,5 +218,94 @@ detectVolumeEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset) {
return result; return result;
} }
/**
* Detect full disk encryption in the image starting at the given offset.
* May return null on error. Note that client is responsible for freeing the result.
*
* @param img_info The open image
* @param offset The offset for the beginning of the image TODO TODO do we need this??
*
* @return encryption_detected_result containing the result of the check. null for certain types of errors.
*/
encryption_detected_result*
detectDiskEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset) {
encryption_detected_result* result = (encryption_detected_result*)tsk_malloc(sizeof(encryption_detected_result));
if (result == NULL) {
return result;
}
result->encryptionType = ENCRYPTION_DETECTED_NONE;
result->desc[0] = '\0';
if (img_info == NULL) {
return result;
}
if (offset > (uint64_t)img_info->size) {
return result;
}
// Read the beginning of the image. There should be room for all the signature searches.
size_t len = 1024;
char* buf = (char*)tsk_malloc(len);
if (buf == NULL) {
return result;
}
if (tsk_img_read(img_info, offset, buf, len) != len) {
free(buf);
return result;
}
// Look for Symatec PGP signature
if (detectSymantecPGP(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "Symantec PGP encryption detected");
free(buf);
return result;
}
// Look for McAfee Safeboot signature
if (detectMcAfee(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "McAfee Safeboot encryption detected");
free(buf);
return result;
}
// Look for Sophos Safeguard
if (detectSophos(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "Sophos Safeguard encryption detected");
free(buf);
return result;
}
// Look for Guardian Edge signature
if (detectGuardianEdge(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "Guardian Edge encryption detected");
free(buf);
return result;
}
// Look for Check Point signature
if (detectCheckPoint(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "Check Point full disk encryption detected");
free(buf);
return result;
}
// Look for WinMagic SecureDoc signature
if (detectWinMagic(buf, len)) {
result->encryptionType = ENCRYPTION_DETECTED_SIGNATURE;
snprintf(result->desc, TSK_ERROR_STRING_MAX_LENGTH, "WinMagic SecureDoc encryption detected");
free(buf);
return result;
}
printf("No disk encryption found\n");
fflush(stdout);
free(buf);
return result;
}
...@@ -31,4 +31,6 @@ typedef struct encryption_detected_result { ...@@ -31,4 +31,6 @@ typedef struct encryption_detected_result {
encryption_detected_result* detectVolumeEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset); encryption_detected_result* detectVolumeEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset);
encryption_detected_result* detectDiskEncryption(TSK_IMG_INFO * img_info, TSK_DADDR_T offset);
#endif #endif
\ No newline at end of file
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
*/ */
#include "tsk_vs_i.h" #include "tsk_vs_i.h"
#include "tsk\util\detect_encryption.h"
/** /**
...@@ -175,7 +176,22 @@ tsk_vs_open(TSK_IMG_INFO * img_info, TSK_DADDR_T offset, ...@@ -175,7 +176,22 @@ tsk_vs_open(TSK_IMG_INFO * img_info, TSK_DADDR_T offset,
if (vs_set == NULL) { if (vs_set == NULL) {
tsk_error_reset(); tsk_error_reset();
tsk_error_set_errno(TSK_ERR_VS_UNKTYPE);
// Check whether the volume system appears to be encrypted.
// Note that detectVolumeEncryption does not do an entropy calculation - high entropy
// files will be reported by tsk_fs_open_img().
encryption_detected_result* result = detectDiskEncryption(img_info, offset);
if (result != NULL) {
if (result->encryptionType == ENCRYPTION_DETECTED_SIGNATURE) {
tsk_error_set_errno(TSK_ERR_VS_ENCRYPTED);
tsk_error_set_errstr(result->desc);
}
free(result);
result = NULL;
}
else {
tsk_error_set_errno(TSK_ERR_VS_UNKTYPE);
}
return NULL; return NULL;
} }
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment